
Taegis Watchlist

The Secureworks® Taegis™ Watchlist detector applies a Secureworks Counter Threat Unit™ (CTU)-curated ruleset to detect threats. This watchlist applies to normalized telemetry sourced from any ingested data source.

The ruleset focuses on normalized endpoint telemetry, but it also includes IDS rules converted to run against HTTP and DNS events, among other rule types.

Note

On June 8th, 2023, the TDR Watchlist detector was renamed to Taegis Watchlist. Detections produced before this date carry the detector name TDR Watchlist in their detection detail and detection JSON view.

Figure: Taegis Watchlist Detection

Requirements

This detector requires the following data sources, integrations, or schemas:

  • All telemetry normalized into XDR schemas

Inputs

Detections are from the following normalized sources:

  • All telemetry normalized into XDR schemas

Outputs

Detections from this detector are pushed to the XDR Detection Database and Detection Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

MITRE mapping is based on the relevant watchlist. Check the detection for the specific mapping.

Detector Testing

This detector has a supported testing method.

See Taegis Watchlist Detections for testing information.

The following query returns the detections produced by this detector, selected on its detector_id:

FROM detection WHERE metadata.creator.detector.detector_id='app:event-filter'
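The query above selects on detector_id rather than on the detector's display name, which matters because of the rename noted earlier: detections from before June 8th, 2023 carry the old name. The following Python is an added example, not Secureworks code and not a call to the Taegis API; it applies the same selection to exported detection JSON records. The records are constructed for the example, and the detector "name" field path is an assumption (the page states only the detector_id path used in the query).

```python
"""Select Taegis detections by detector_id instead of detector name.

Added example for this page; it is not Secureworks code and does not call the
Taegis API. It mirrors the page's query
  FROM detection WHERE metadata.creator.detector.detector_id='app:event-filter'
over exported detection JSON. The sample records are constructed, and the
detector "name" field is an assumed location for the enriched detector name.
"""
from typing import Any, Dict, Iterable, List

# detector_id used by the page's query for this detector
WATCHLIST_DETECTOR_ID = "app:event-filter"
DETECTOR_ID_PATH = "metadata.creator.detector.detector_id"
DETECTOR_NAME_PATH = "metadata.creator.detector.name"  # assumed field path


def get_path(record: Dict[str, Any], dotted: str) -> Any:
    """Resolve a dotted field path; return None if any segment is missing.

    Returning None instead of raising keeps one malformed record from
    aborting a bulk filter over a large export.
    """
    node: Any = record
    for key in dotted.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def by_detector_id(records: Iterable[Dict[str, Any]],
                   detector_id: str = WATCHLIST_DETECTOR_ID) -> List[Dict[str, Any]]:
    """Stable selector: the detector_id is what the page's query filters on."""
    return [r for r in records if get_path(r, DETECTOR_ID_PATH) == detector_id]


def by_detector_name(records: Iterable[Dict[str, Any]], name: str) -> List[Dict[str, Any]]:
    """Fragile selector: matches only records enriched with that exact name,
    so pre-rename detections named "TDR Watchlist" are missed."""
    return [r for r in records if get_path(r, DETECTOR_NAME_PATH) == name]


def _detection(det_id: str, created: str, detector_id: str, name: str) -> Dict[str, Any]:
    """Build a constructed detection record with the nested creator metadata."""
    return {
        "id": det_id,
        "created_at": created,
        "metadata": {"creator": {"detector": {"detector_id": detector_id, "name": name}}},
    }


# Constructed sample export: one detection from before the June 8th, 2023 rename,
# one from after, one from an unrelated placeholder detector, and one malformed record.
SAMPLE_DETECTIONS: List[Dict[str, Any]] = [
    _detection("det-0001", "2023-05-30T10:00:00Z", "app:event-filter", "TDR Watchlist"),
    _detection("det-0002", "2023-07-01T10:00:00Z", "app:event-filter", "Taegis Watchlist"),
    _detection("det-0003", "2023-07-01T11:00:00Z", "app:placeholder-other", "Placeholder Other Detector"),
    {"id": "det-0004", "metadata": {"creator": {}}},  # missing detector block
]

if __name__ == "__main__":
    print("by detector_id:", [r["id"] for r in by_detector_id(SAMPLE_DETECTIONS)])
    print("by current name:", [r["id"] for r in by_detector_name(SAMPLE_DETECTIONS, "Taegis Watchlist")])
```

Run against the constructed export, the detector_id selector returns both watchlist detections, while filtering on the current display name returns only the post-rename one; the malformed record is skipped rather than raising.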

References